Monday, October 3, 2011

Some system administrators do not understand Mandatory Access Control (MAC) and how it interacts with Discretionary Access Control (DAC) in Linux.
In a previous post, I stated Security-Enhanced Linux (SELinux) employs MAC rules to facilitate fine-grained security. I also discussed some of the collection of rules which form standard SELinux policies such as Targeted and Strict.
I received some emails from readers which said they weren't clear on how MAC and DAC work together in the operating system. Since I am a hands-on guy, I love to see real-world examples, so that's what I am going to show you.
I have configured a standard CentOS 5.6 Linux system with default Apache web server packages installed. The sestatus(8) command reports the operating system is enforcing the default SELinux Targeted policy.# /usr/sbin/sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: enforcing
Policy version: 21
Policy from config file: targeted
Using the -Z argument to the ps(1) command shows the Apache daemon (httpd) is executing in the (httpd_t) domain: # /bin/ps -aefZ |/usr/bin/grep httpd
root:system_r:httpd_t root 24855 1 0 10:23 ? 00:00:00 /usr/sbin/httpd
root:system_r:httpd_t apache 24856 24855 0 10:23 ? 00:00:00 /usr/sbin/httpd
root:system_r:httpd_t apache 24857 24855 0 10:23 ? 00:00:00 /usr/sbin/httpd
root:system_r:httpd_t apache 24858 24855 0 10:23 ? 00:00:00 /usr/sbin/httpd
root:system_r:httpd_t apache 24859 24855 0 10:23 ? 00:00:00 /usr/sbin/httpd
root:system_r:httpd_t apache 24860 24855 0 10:23 ? 00:00:00 /usr/sbin/httpd
root:system_r:httpd_t apache 24862 24855 0 10:23 ? 00:00:00 /usr/sbin/httpd
root:system_r:httpd_t apache 24863 24855 0 10:23 ? 00:00:00 /usr/sbin/httpd
root:system_r:httpd_t apache 24864 24855 0 10:23 ? 00:00:00 /usr/sbin/httpd
I will use the curl(1) command to retrieve a URL from the Apache web server -- this is equivalent to a web browser accessing the URL. By default, the provided Apache packages establishes the document root as /var/www/html. So, we will create a test.html file in the document root with a permissive DAC and a MAC which the httpd_t domain is not allowed to access.# cd /var/www/html
# /bin/touch test.html
# /usr/bin/chcon system_u:object_r:shadow_t test.html
# /bin/ls -lZ test.html-rw-r--r-- root root system_u:object_r:shadow_t test.html
I have temporarily set the SELinux context of this file to be of shadow_t type using the chcon(1) command.
This restrictive type is set on the /etc/shadow system file -- a web server would have no reason to access a file of this type. Using the -Z option to the ls(1) command you can see the type is now shadow_t in the SELinux context.
Note the DAC mode (-rw-r--r--) of the file permits the owner to read and write (rw), the group to read (r), and everybody else [other] is able to read (r) the file.
However, when I try to retrieve the file the MAC rule in the SELinux policy FORBIDS the process running in the httpd_t domain from accessing files of type shadow_t -- REGARDLESS of the permissive DAC mode:# /usr/bin/curl -I http://localhost/test.html
HTTP/1.1 403 Forbidden
Date: Fri, 23 Sep 2011 14:48:51 GMT
Server: Apache/2.2.3 (CentOS)
Connection: close
Content-Type: text/html; charset=iso-8859-1
The SELinux policy also defines default SELinux contexts for directories and file patterns. When the system is rebooted or the restorecon(8) utility is called, file system objects are labeled according to the policy. I will use the restorecon utility to restore (set) the SELinux context on our test file appropriately:# /sbin/restorecon test.html
# /bin/ls -Z test.html
-rw-r--r-- root root system_u:object_r:httpd_sys_content_t test.html
In order for the Apache web server running in the httpd_t domain to read files in its document root (/var/www/html), the files should be of http_sys_content_t type.
Now, I am able to access the file:# /usr/bin/curl -I http://localhost/test.html
HTTP/1.1 200 OK
Date: Fri, 23 Sep 2011 14:50:16 GMT
Server: Apache/2.2.3 (CentOS)
Last-Modified: Fri, 23 Sep 2011 14:40:32 GMT
ETag: "15aac8-6-ca935800"
Accept-Ranges: bytes
Content-Length: 6
Connection: close
Content-Type: text/html; charset=UTF-8
This simple real-world example demonstrates how MAC rules supersede DAC settings. I encourage you to read the system documentation and experiment on lab systems. Too often system administrators become frustrated by "AVC Denial" messages and resort to disabling this enhanced security.